Moment of truth in cyber cover
Along with about 112,000 others I got an email from Air New Zealand last Friday, advising me about ‘‘an incident that may affect my data’’.
What this was code for was that the company had suffered a data breach and not a small one with over 100,000 people affected.
Although the email was quick to tell me what data had not been hacked – including password and credit card details – it failed to actually tell me what details of mine that were vulnerable.
Reading between the lines of the pleasantly vague missive, it sounded like the nasties had access to Air Points numbers, full names and emails, and subsequently it’s been reported that they might also have access to some passport details.
Of more concern to me than the vagueness of the email is how long it took to send it. Evidently the airline first knew of the phishmail enabled hack on July 31, but didn’t let potentially affected people know until August 9.
That’s a hell of a wait and a bit longer than the European Union privacy best practice period of 72 hours.
The breach is likely to prove expensive for the airline, both in terms of the technical resolution of the problem, but also given the extensive customer liaison work that is required and the loss of business that might result.
Hand in hand with this is the loss of trust, the crown jewel of any airline – just ask Malaysia Airlines.
Right about now the risk and compliance teams at Air New Zealand will be dusting off their cyber insurance and seeing exactly what they are covered for and what they aren’t.
The theory behind insurance is that it’s cheap when you need to claim, but expensive when you don’t. Depending on the way theoretical risk maps to practical claims, it can be a good gig to be in.
In the case of cyber insurance, it has been a great gig to be in. It’s been growing at 8 per cent a year and is destined to be worth US$248 billion (NZ$385b) by 2026 based on Gartner data.
Personally I’ve always been a little cautious about the benefits to business of cyber insurance, for four reasons.
First, much of cyber crime is old crime in new digital bottles. If you take a decent look at your existing business insurance around theft and loss you may find you are already covered.
Second, cyber policies have often had a lot of exceptions and exclusions. In addition, some are bringing in exclusions associated with management responsibility. So for instance if management have not ensured that all software patches are in place, then the insurance company is not liable.
Third, the premiums of cyber security policies have been historically pretty damn high relative to traditional criminal activity policies.
Lastly, until recently I wasn’t aware of any cyber insurance that covered reputational damage and loss of trust, exactly the situation that Air New Zealand may be in.
As a result of all the above, across all the businesses that I have been involved with I’m not aware of one that has successfully made a claim under a cyber policy. But that’s potentially about to change.
In July, American banking and finance group Capital One disclosed that a person had hacked its IT systems, resulting in the loss of personal data relating to 106 million customers.
The company advised that the breach may result in costs of up to US$150m this year. It also advised that it had a US$400m cyber insurance tower in place to cover ‘‘certain costs associated with a cyber risk event’’.
This tower of cover is spread across a basket of re-insurance carriers who are about experience first hand a sizeable claim under a cyber policy.
The Capital One claim will provide a very public datapoint on the costs and benefits of holding cyber cover.
Depending on the size of the hack, and whether rumours are confirmed that other financial institutions have also been hacked, it will also be a pivotal event for reinsurance carriers pondering whether it’s a market they want to be in.
None of this means a company shouldn’t consider taking out a cyber insurance policy.
But it does mean that before you sign up to one it’s probably worth asking your risk team if they have talked to another company who made a successful claim under the same policy. And perhaps ask the same question of a company that weren’t successful.
Air New Zealand might be asking itself that very question now.
I’ve always been a little cautious about the benefits to business of cyber insurance.